Reputation: 1187
When I load a page with a user logged in (and no Persona) the client sends a request with a cookie. The cookie authenticates the user and the server can send a page containing sensitive information for the identified user.
Using Persona with the Observer API I embed a loggedInUser when sending the page to tell Persona who the server thinks is logged in.
A potential problem arises if Persona doesn't think that the loggedInUser is who the server thinks it is. In that case we get an "onLogout" or "onLogin" callback.
If we're meant to take Persona's opinion seriously the safe method to proceed would be:
This is inefficient as it requires two round trips for a page as well as complicating the web application.
It's very unclear from the Persona documentation what one is meant to do. Simplest is to ignore Persona's theory about who is logged in. But then why such a complicated API?
I'm almost certainly missing something, but this looks broken to me as I've laid it out above.
Upvotes: 0
Views: 86
Reputation: 660
If I understand your question correctly, you are worried about leaking a user's (User A) sensitive information to another user (User B).
In this case however, I think we can assume that both user accounts are under the control of the same person because the person browsing to your site has a valid cookie for User A and is also logged into Persona as User B. If a person has both of these things, he/she can access both user accounts already, so it's not really leaking User A or User B's information to an unrelated person.
Of course, the cookie could be left over from someone else if it's a shared computer, but in that case, you have bigger problems than just a flash of sensitive info: the user that's now in front of the computer can in fact impersonate the user that left the computer without clearing cookies.
Upvotes: 0
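An added example, not part of the question or the answer and not Persona's own code: one way to wire `navigator.id.watch` so that a disagreement between the cookie session and Persona is settled on the server before the page is trusted. The `/auth/login` and `/auth/logout` endpoints, the `post` and `reload` helpers, and `fakePersona` (a constructed stand-in for `navigator.id`) are assumptions made for the illustration.

```javascript
// Reconcile the server's cookie session with Persona's view of the user.
// `id` is navigator.id in a browser; `post` and `reload` are hypothetical
// helpers supplied by the application.
function watchSession(id, serverUser, post, reload) {
  id.watch({
    // Who the server's cookie says is logged in (null if nobody).
    loggedInUser: serverUser,
    // Persona believes a user other than loggedInUser is logged in.
    onlogin(assertion) {
      // The assertion must be verified server-side before the session
      // changes; only then is the page reloaded for the new user.
      return post("/auth/login", { assertion }).then(reload);
    },
    // Persona believes nobody is logged in: drop the cookie session.
    onlogout() {
      return post("/auth/logout", {}).then(reload);
    },
  });
}

// Constructed stand-in for navigator.id so the flow runs outside a browser.
// It fires a callback only when its user differs from loggedInUser.
function fakePersona(personaUser) {
  return {
    watch(opts) {
      if (personaUser === opts.loggedInUser) return; // agreement: no callback
      if (personaUser === null) opts.onlogout();
      else opts.onlogin("constructed-assertion-for-" + personaUser);
    },
  };
}

// Run one page load and return the requests the page would send.
function simulate(serverUser, personaUser) {
  const requests = [];
  const post = (path, body) => {
    requests.push({ path, body });
    return Promise.resolve();
  };
  watchSession(fakePersona(personaUser), serverUser, post, () => {});
  return requests;
}
```

When the two sides agree no request is sent, so the extra round trip is paid only on a mismatch.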